HACKING EXPOSED™ 6: NETWORK SECURITY SECRETS & SOLUTIONS

STUART McCLURE
JOEL SCAMBRAY
GEORGE KURTZ

New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2009 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-161375-0
MHID: 0-07-161375-7

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-161374-3, MHID: 0-07-161374-9.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc.
(“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages.
This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

For my beautiful boys, ilufaanmw… For Samantha, lumlg… tml!!!
—Stuart

To my little Rock Band: you are my idols.
—Joel

To my loving family, Anna, Alexander, and Allegra, who provide inspiration, guidance, and unwavering support. To my mom, Victoria, for helping me define my character and for teaching me to overcome adversity.
—George

ABOUT THE AUTHORS

Stuart McClure, CISSP, CNE, CCSE

Widely recognized for his extensive and in-depth knowledge of security products, Stuart McClure is considered one of the industry’s leading authorities in information security today. A well-published and acclaimed security visionary, McClure has over two decades of technology and executive leadership with profound technical, operational, and financial experience.

Stuart McClure is Vice President of Operations and Strategy for the Risk & Compliance Business Unit at McAfee, where he is responsible for the health and advancement of security risk management and compliance products and service solutions. In 2008, Stuart McClure was Executive Director of Security Services at Kaiser Permanente, the world’s largest health maintenance organization, where he oversaw 140 security professionals and was responsible for security compliance, oversight, consulting, architecture, and operations.

In 2005, McClure took over the top spot as Senior Vice President of Global Threats, running all of AVERT. AVERT is McAfee’s virus, malware, and attack detection signature and heuristic response team, which includes over 140 of the smartest programmers, engineers, and security professionals from around the world. His team monitored global security threats and provided follow-the-sun signature creation capabilities.
Among his many tactical responsibilities, McClure was also responsible for providing strategic vision and marketing for the teams to elevate the value of their security expertise in the eyes of the customer and the public. Additionally, he created the semiannual Sage Magazine, a security publication dedicated to monitoring global threats.

Prior to taking over the AVERT team, Stuart McClure was Senior Vice President of Risk Management Product Development at McAfee, Inc., where he was responsible for driving product strategy and marketing for the McAfee Foundstone family of risk mitigation and management solutions.

Prior to his role at McAfee, McClure was founder, president, and chief technology officer of Foundstone, Inc., which was acquired by McAfee in October 2004 for $86M. At Foundstone, McClure led both the product vision and strategy for Foundstone, as well as operational responsibilities for all technology development, support, and implementation. McClure drove annual revenues over 100 percent every year since the company’s inception in 1999. McClure was also the author of the company’s primary patent #7,152,105.

In 1999, he created and co-authored Hacking Exposed: Network Security Secrets & Solutions, the best-selling computer security book, with over 500,000 copies sold to date. The book has been translated into more than 26 languages and is ranked the #4 computer book ever sold—positioning it as one of the best-selling security and computer books in history. McClure also co-authored Hacking Exposed Windows 2000 (McGraw-Hill Professional) and Web Hacking: Attacks and Defense (Addison-Wesley).
Prior to Foundstone, McClure held a variety of leadership positions in security and IT management, with Ernst & Young’s National Security Profiling Team, two years as an industry analyst with InfoWorld’s Test Center, five years as director of IT for both state and local California government, two years as owner of his own IT consultancy, and two years in IT with the University of Colorado, Boulder.

McClure holds a bachelor’s degree in psychology and philosophy, with an emphasis in computer science applications, from the University of Colorado, Boulder. He later earned numerous certifications including ISC2’s CISSP, Novell’s CNE, and Check Point’s CCSE.

Joel Scambray, CISSP

Joel Scambray is co-founder and CEO of Consciere, a provider of strategic security advisory services. He has assisted companies ranging from newly minted startups to members of the Fortune 50 in addressing information security challenges and opportunities for over a dozen years.

Scambray’s background includes roles as an executive, technical consultant, and entrepreneur. He was a senior director at Microsoft Corporation, where he led Microsoft’s online services security efforts for three years before joining the Windows platform and services division to focus on security technology architecture. Joel also co-founded security software and services startup Foundstone, Inc., and helped lead it to acquisition by McAfee for $86M. He has also held positions as a Manager for Ernst & Young, Chief Strategy Officer for Leviathan, security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and director of IT for a major commercial real estate firm.

Joel Scambray has co-authored Hacking Exposed: Network Security Secrets & Solutions since helping create the book in 1999. He is also lead author of the Hacking Exposed Windows and Hacking Exposed Web Applications series (both from McGraw-Hill Professional).
Scambray brings tremendous experience in technology development, IT operations security, and consulting to clients ranging from small startups to the world’s largest enterprises. He has spoken widely on information security at forums including Black Hat, I-4, and The Asia Europe Meeting (ASEM), as well as organizations including CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private corporations, and government agencies such as the Korean Information Security Agency (KISA), FBI, and the RCMP.

Scambray holds a bachelor of science degree from the University of California at Davis and an MA from UCLA, and he is a Certified Information Systems Security Professional (CISSP).

George Kurtz, CISSP, CISA, CPA

Former CEO of Foundstone and current Senior Vice President & General Manager of McAfee’s Risk & Compliance Business Unit, George Kurtz is an internationally recognized security expert, author, and entrepreneur, as well as a frequent speaker at most major industry conferences. Kurtz has over 16 years of experience in the security space and has helped hundreds of large organizations and government agencies tackle the most demanding security problems. He has been quoted or featured in many major publications, media outlets, and television programs, including CNN, Fox News, ABC World News, Associated Press, USA Today, Wall Street Journal, The Washington Post, Time, ComputerWorld, eWeek, CNET, and others.

George Kurtz is currently responsible for driving McAfee’s worldwide growth in the Risk & Compliance segments. In this role, he has helped transform McAfee from a point product company to a provider of Security Risk Management and Compliance Optimization solutions. During his tenure, McAfee has significantly increased its overall enterprise average selling price (ASP) and its competitive displacements.
Kurtz formerly held the position of SVP of McAfee Enterprise, where he was responsible for helping to drive the growth of the enterprise product portfolio on a worldwide basis.

Prior to his role at McAfee, Kurtz was CEO of Foundstone, Inc., which was acquired by McAfee in October 2004. In his position as CEO, Kurtz brought a unique combination of business acumen and technical security know-how to Foundstone. Having raised over $20 million in financing, Kurtz positioned the company for rapid growth and took the company from startup to over 135 people in four years. Kurtz’s entrepreneurial spirit positioned Foundstone as one of the premier “pure play” security solutions providers in the industry.

Prior to Foundstone, Kurtz served as a senior manager and the national leader of Ernst & Young’s Security Profiling Services Group. During his tenure, Kurtz was responsible for managing and performing a variety of eCommerce-related security engagements with clients in the financial services, manufacturing, retailing, pharmaceuticals, and high technology industries. He was also responsible for co-developing the “Extreme Hacking” course. Prior to joining Ernst & Young, he was a manager at Price Waterhouse, where he was responsible for developing their network-based attack and penetration methodologies used around the world.

Under George Kurtz’s direction, he and Foundstone have received numerous awards, including Inc.’s “Top 500 Companies,” Software Council of Southern California’s “Software Entrepreneur of the Year 2003” and “Software CEO of the Year 2005,” Fast Company’s “Fast 50,” American Electronics Association’s “Outstanding Executive,” Deloitte’s “Fast 50,” Ernst & Young’s “Entrepreneur of the Year Finalist,” Orange County’s “Hottest 25 People,” and others.

Kurtz holds a bachelor of science degree from Seton Hall University.
He also holds several industry designations, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Public Accountant (CPA). He was recently granted Patent #7,152,105, “System and method for network vulnerability detection and reporting.” Additional patents are still pending.

About the Contributing Authors

Nathan Sportsman is an information security consultant whose experience includes positions at Foundstone, a division of McAfee; Symantec; Sun Microsystems; and Dell. Over the years, Sportsman has had the opportunity to work across all major verticals, and his clients have ranged from Wall St. and Silicon Valley to government intelligence agencies and renowned educational institutions. His work spans several service lines, but he specializes in software and network security. Sportsman is also a frequent public speaker. He has lectured on the latest hacking techniques for the National Security Agency, served as an instructor for the Ultimate Hacking Series at Black Hat, and is a regular presenter for various security organizations such as ISSA, Infragard, and OWASP. Sportsman has developed several security tools and was a contributor to the Solaris Software Security Toolkit (SST). Industry designations include the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler (GCIH). Sportsman holds a bachelor of science degree in electrical and computer engineering from The University of Texas at Austin.

Brad Antoniewicz is the leader of Foundstone’s network vulnerability and assessment penetration service lines. He is a senior security consultant focusing on internal and external vulnerability assessments, web application penetration, firewall and router configuration reviews, secure network architectures, and wireless hacking.
Antoniewicz developed Foundstone’s Ultimate Hacking wireless class and teaches both Ultimate Hacking Wireless and the traditional Ultimate Hacking classes. Antoniewicz has spoken at many events, authored various articles and whitepapers, and developed many of Foundstone’s internal assessment tools.

Jon McClintock is a senior information security consultant located in the Pacific Northwest, specializing in application security from design through implementation and into deployment. He has over ten years of professional software experience, covering information security, enterprise and service-oriented software development, and embedded systems engineering. McClintock has worked as a senior software engineer on Amazon.com’s Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices. Prior to Amazon, Jon developed software for mobile devices and low-level operating system and device drivers. He holds a bachelor of science degree in computer science from California State University, Chico.

Adam Cecchetti has over seven years of professional experience as a security engineer and researcher. He is a senior security consultant for Leviathan Security Group located in the Pacific Northwest. Cecchetti specializes in hardware and application penetration testing. He has led assessments for the Fortune 500 in a vast array of verticals. Prior to consulting, he was a lead security engineer for Amazon.com, Inc. Cecchetti holds a master’s degree in electrical and computer engineering from Carnegie Mellon University.

About the Tech Reviewer

Michael Price, research manager for McAfee Foundstone, is currently responsible for content development for the McAfee Foundstone Enterprise vulnerability management product.
In this role, Price works with and manages a global team of security researchers responsible for implementing software checks designed to detect the presence of vulnerabilities on remote computer systems. He has extensive experience in the information security field, having worked in the areas of vulnerability analysis and security software development for over nine years.

CONTENTS (partial; only the entries that survived extraction are listed, with the chapter start pages where they were recoverable)

Part II System Hacking
  4 Hacking Windows 157
  5 Hacking Unix 223

Part III Infrastructure Hacking
  6 Remote Connectivity and VoIP Hacking 315
  7 Hacking Network Devices 387
  8 Wireless Hacking 445
  9 Hacking Hardware 493

Part IV Application and Data Hacking
  Case Study: Session Riding 516
  10 Hacking Code 519
  11 Web Hacking 543
  12 Hacking the Internet User 585

Part V Appendixes
  A Ports

Section headings recovered from the chapter on remote connectivity and VoIP: Brute-Force Scripting—The Homegrown Way; A Final Note About Brute-Force Scripting; PBX Hacking; Voicemail Hacking; Virtual Private Network (VPN) Hacking; Basics of IPSec VPNs; Voice over IP Attacks.

Section headings recovered from Chapter 9, Hacking Hardware: Physical Access: Getting in the Door; Hacking Devices; Default Configurations; Owned Out of the Box; Summary.

Section headings recovered from Chapter 10, Hacking Code: Common Exploit Techniques; Buffer Overflows and Design Flaws; Recommended Further Reading; Summary.

Section headings recovered from Chapter 11, Web Hacking: Web Server Hacking; Sample Files; Source Code Disclosure; Canonicalization.

FOREWORD (fragment)

… participant, leverage the valuable insights Hacking Exposed 6 provides to help yourself, your company, and your country fight cybercrime.
—Dave DeWalt, President and CEO, McAfee, Inc.

ACKNOWLEDGMENTS (fragment)

The authors of Hacking Exposed 6 would like to sincerely thank the incredible McGraw-Hill Professional editors and production staff who worked on the sixth edition, including Jane Brownlow and …

INTRODUCTION (fragments)

… motivation and opportunity to do bad things, turns his or her attention your way. Then watch the light bulbs go off…

What’s New in the Sixth Edition

Our infinite mission with Hacking Exposed is to continually update and provide security analysis of the latest technologies for the network, host, application, and database …

• … configurations, hacking IPsec VPN servers, attacking IKE Aggressive Mode, SIP scanning and enumeration, SIP flooding hacks, and TFTP tricks to discover VoIP treasures
• New footprinting, scanning, and enumeration techniques that can go completely undetected
• Newly condensed denial of service appendix giving you only what you need to know
• Updated coverage of “Hacking the Internet User” and “Hacking Code” …

… target, 10 being superuser-account compromise or equivalent.
Risk Rating: The overall risk rating (average of the preceding three values).

To Everyone

Message to all readers: as with all prior editions of Hacking Exposed, take the book in chunks, absorb its rich content in doses, and test everything we show you. There is no better way to learn than to “do.” Take all the prescriptive text we have accumulated …