This is an English-language book set for IT professionals specializing in security and programming. It is suitable for anyone passionate about information technology who wants to learn about security and programming.
Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
To my amazing boys (who hack me on a daily basis), I love you beyond words. FANMW… URKSHI

To my Dawn, for her seemingly endless patience and love—I never knew the meaning of both until you. And to the new girls in my life, Jessica and Jillian… I love you.

called—few are chosen…”

—George Kurtz
ABOUT THE AUTHORS

Stuart McClure

Stuart McClure, CNE, CCSE, is the CEO/President of Cylance, Inc., an elite global security services and products company solving the world’s most difficult security problems for the most critical companies around the globe. Prior to Cylance, Stuart was Global CTO for McAfee/Intel, where he was responsible for a nearly $3B consumer and corporate security products’ business. During his tenure at McAfee, Stuart McClure also held the General Manager position for the Security Management Business for McAfee/Intel, which enabled all McAfee corporate security products to be operationalized, managed, and measured. Alongside those roles, Stuart McClure ran an elite team of good guy hackers inside McAfee called TRACE that discovered new vulnerabilities and emerging threats. Before McAfee, Stuart helped run security at the largest healthcare company in the U.S., Kaiser Permanente. In 1999, Stuart was also the original founder of Foundstone, Inc., a global consulting and products company, which was acquired by McAfee in 2004.

Stuart is the creator, lead author, and original founder of the Hacking Exposed™ series of books and has been hacking for the good guys for over 25 years. Widely recognized and asked to present his extensive and in-depth knowledge of hacking and exploitation techniques, Stuart is considered one of the industry’s leading authorities on information security risk today. A well-published and acclaimed security visionary, McClure brings a wealth of technical and executive leadership with a profound understanding of both the threat landscape and the operational and financial risk requirements to be successful in today’s world.
Joel Scambray

Joel is a Managing Principal at Cigital, a leading software security firm established in 1992. He has assisted companies ranging from newly minted startups to members of the Fortune 500 to address information security challenges and opportunities for over 15 years.

Joel’s background includes roles as an executive, technical consultant, and entrepreneur. He cofounded and led information security consulting firm Consciere before it was acquired by Cigital in June 2011. He has been a Senior Director at Microsoft Corporation, where he provided security leadership in Microsoft’s online services and Windows divisions. Joel also cofounded security software and services startup Foundstone, Inc. and helped lead it to acquisition by McAfee in 2004. He previously held positions as a Manager for Ernst & Young, security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and Director of IT for a major commercial

government agencies, including the FBI and the RCMP. Joel holds a BS from the University of California at Davis, an MA from UCLA, and he is a Certified Information Systems Security Professional (CISSP).
George Kurtz
George Kurtz, CISSP, CISA, CPA, is cofounder and CEO of CrowdStrike, a cutting-edge big data security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. George is also an internationally recognized security expert, author, entrepreneur, and speaker. He has almost 20 years of experience in the security space and has helped hundreds of large organizations and government agencies around the world tackle the most demanding security problems. His entrepreneurial background and ability to commercialize nascent technologies has enabled him to drive innovation throughout his career by identifying market trends and correlating them with customer feedback, resulting in rapid growth for the businesses he has run.

In 2011, George relinquished his role as McAfee’s Worldwide Chief Technology Officer to his co-author and raised $26M in venture capital to create CrowdStrike. During his tenure as McAfee’s CTO, Kurtz was responsible for driving the integrated security architectures and platforms across the entire McAfee portfolio. Kurtz also helped drive the acquisition strategy that allowed McAfee to grow from $1b in revenue in 2007 to over $2.5b in 2011. In one of the largest tech M&A deals in 2011, Intel (INTC) acquired McAfee for nearly $8b. Prior to joining McAfee, Kurtz was Chief Executive Officer and cofounder of Foundstone, Inc., which was acquired by McAfee in October 2004. You can follow George on Twitter @george_kurtz or his blog at securitybattlefield.com.
About the Contributing Authors
Christopher Abad is a security researcher at McAfee focusing on embedded threats. He has 13 years of professional experience in computer security research and software and hardware development and studied mathematics at UCLA. He has contributed to numerous security products and has been a frequent speaker at various security conferences over the years.

Brad Antoniewicz works in Foundstone’s security research division to uncover flaws in popular technologies. He is a contributing author to both the Hacking Exposed™ and Hacking Exposed™ Wireless series of books and has authored various internal and external Foundstone tools, whitepapers, and methodologies.

Christiaan Beek is a principal architect on the McAfee Foundstone Services team. As such, he serves as the practice lead for the Incident Response and Forensics services team in EMEA. He has performed numerous forensic investigations from system compromise, theft, child pornography, malware infections, Advanced Persistent Threats (APT), and mobile devices.

Carlos Castillo is a Mobile Malware Researcher at McAfee, an Intel company, where he performs static and dynamic analysis of suspicious applications to support McAfee’s Mobile Security for Android product. Carlos’ recent research includes dissection of the Android Market malware DroidDream, and he is the author of “Android Malware Past, Present, and Future,” a whitepaper published by McAfee. Carlos also is an active blogger on McAfee Blog Central. Prior to McAfee, Carlos performed security compliance audits for the Superintendencia Financiera of Colombia. Before that, Carlos worked at a security startup, Easy Solutions, Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Carlos joined the world of malware research when he won ESET Latin America’s “Best Antivirus Research” contest. His winning paper was entitled “Sexy View: The Beginning of Mobile Botnets.” Carlos holds a degree in Systems Engineering from the Universidad Javeriana in Bogotá, Colombia.

Carric Dooley has been working primarily in information security since 1997. He originally joined the Foundstone Services team in March 2005 after five years on the ISS Professional Services team. Currently he is building the Foundstone Services team in EMEA and lives in the UK with his lovely wife, Michelle, and three children. He has led hundreds of assessments of various types for a wide range of verticals, and regularly works with globally recognized banks, petrochemicals, and utilities, and consumer electronics companies in Europe and the Middle East. You may have met Carric at either the Black Hat (Vegas/Barcelona/Abu Dhabi) or Defcon conferences, where he has been on staff and taught several times, in addition to presenting at Defcon 16.

Max Klim is a security consultant with Cigital, a leading software security company founded in 1992. Prior to joining Cigital, Max worked as a security consultant with Consciere. Max has over nine years of experience in IT and security, having served both Fortune 500 organizations and startups. He has extensive experience in penetration testing, digital forensics, incident response, compliance, and network and security engineering. Max holds a Bachelor of Applied Science in Information Technology Management from Central Washington University and is an EnCase Certified Examiner (EnCE), Certified Information Systems Security Professional (CISSP), and holds several Global Information Assurance Certification (GIAC) credentials.

Tony Lee has over eight years of professional experience pursuing his passion in all areas of information security. He is currently a Principal Security Consultant at Foundstone Professional Services (a division of McAfee), in charge of advancing many of the network penetration service lines. His interests of late are Citrix and kiosk hacking, post exploitation, and SCADA exploitation. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government agencies, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a lead instructor for a series of classes that includes Foundstone’s Ultimate Hacking (UH), UH: Windows, UH: Expert, UH: Wireless, and UH: Web. He holds a Bachelor of Science in Computer Engineering from Virginia Tech (Go Hokies!) and Master of Science in Security Informatics from The Johns Hopkins University.

Slavik Markovich has over 20 years of experience in infrastructure, security, and software development. Slavik cofounded Sentrigo, the database security company recently acquired by McAfee. Prior to co-founding Sentrigo, Slavik served as VP R&D and Chief Architect at db@net, a leading IT architecture consultancy. Slavik has contributed to open source projects and is a regular speaker at industry conferences.

Hernan Ochoa is a security consultant and researcher with over 15 years of professional experience. Hernan is the founder of Amplia Security, provider of information security–related services, including network, wireless, and web application penetration tests, standalone/client-server application black-box assessments, source code audits, reverse engineering, and vulnerability analysis. Hernan began his professional career in 1996 with the creation of Virus Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus application with heuristics to detect polymorphic viruses. Hernan also developed a detailed technical virus information database and companion newsletter. He joined Core Security Technologies in 1999 and worked there for 10 years in various roles, including security consultant and exploit writer performing diverse types of security assessments, developing methodologies, shellcode, and security tools, and contributing new attack vectors. He also designed and developed several low-level/kernel components for a multi-OS security system ultimately deployed at a financial institution, and served as “technical lead” for ongoing development and support of the multi-OS system. Hernan has published a number of security tools and presented his work at several international security conferences including Black Hat, Hack in the Box, Ekoparty, and RootedCon.

Dr. (Shane) Shook is a Senior Information Security advisor and SME who has architected, built, and optimized information security implementations. He conducts information security audits and vulnerability assessments, business continuity planning, disaster recovery testing, and security incident response, including computer forensics analysis and malware assessment. He has provided expert testimony on technical issues in criminal, class action, IRS, SEC, EPA, and ITC cases, as well as state and federal administrative matters.

Nathan Sportsman is the founder and CEO of Praetorian, a privately held, multimillion-dollar security consulting, research, and product company. He has extensive experience in information security and has consulted across most industry sectors with clients ranging from the NASDAQ stock exchange to the National Security Agency. Prior to founding Praetorian, Nathan held software development and consulting positions at Sun Microsystems, Symantec, and McAfee. Nathan is a published author, US patent holder, NIST individual contributor, and DoD cleared resource. Nathan holds a degree in Electrical & Computer Engineering from The University of Texas.
About the Technical Reviewers
Ryan Permeh is chief scientist at McAfee. He works with the Office of the CTO to envision how to protect against the threats of today and tomorrow. He is a vulnerability researcher, reverse engineer, and exploiter with 15 years of experience in the field. Ryan has spoken at several security and technology conferences on advanced security topics, published many blogs and articles, and contributed to books on the subject.

Mike Price is currently chief architect for iOS at Appthority, Inc. In this role, Mike focuses full time on research and development related to iOS operating system and application security. Mike was previously Senior Operations Manager for McAfee Labs in Santiago, Chile. In this role, Mike was responsible for ensuring smooth operation of the office, working with external entities in Chile and Latin America and generally promoting technical excellence and innovation across the team and region. Mike was a member of the Foundstone Research team for nine years. Most recently, he was responsible for content development for the McAfee Foundstone Enterprise vulnerability management product. In this role, Mike worked with and managed a global team of security researchers responsible for implementing software checks designed to detect the presence of operating system and application vulnerabilities remotely. He has extensive experience in the information security field, having worked in the area of vulnerability analysis and infosec-related R&D for nearly 13 years. Mike is also cofounder of the 8.8 Computer Security Conference, held annually in Santiago, Chile. Mike was also a contributor to Chapter 11.
6 Cybercrime and Advanced Persistent Threats
Part III Infrastructure Hacking
7 Remote Connectivity and VoIP Hacking
8 Wireless Hacking
9 Hacking Hardware
Part IV Application and Data Hacking
10 Web and Database Hacking
11 Mobile Hacking
12 Countermeasures Cookbook
Part V Appendixes
A Ports
B Top 10 Security Vulnerabilities
C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
Index
Step 3: Publicly Available Information
Step 4: WHOIS & DNS Enumeration
Step 5: DNS Interrogation
Step 6: Network Reconnaissance
Summary
2 Scanning
Determining If the System Is Alive
ARP Host Discovery
ICMP Host Discovery
TCP/UDP Host Discovery
Determining Which Services Are Running or Listening
Scan Types
Identifying TCP and UDP Services Running
Detecting the Operating System
Making Guesses from Available Ports
Active Stack Fingerprinting
Passive Stack Fingerprinting
Processing and Storing Scan Data
Managing Scan Data with Metasploit
Summary
3 Enumeration
Service Fingerprinting
Vulnerability Scanners
Basic Banner Grabbing
Enumerating Common Network Services
Summary
Part II Endpoint and Server Hacking
Case Study: International Intrigue
Authenticated Attacks
Privilege Escalation
Extracting and Cracking Passwords
Remote Control and Back Doors
Port Redirection
Data Execution Prevention (DEP)
Windows Service Hardening
6 Cybercrime and Advanced Persistent Threats
What Is an APT?
Operation Aurora
Anonymous
RBN
What APTs Are NOT?
Examples of Popular APT Tools and Techniques
Common APTs Indicators
Summary
Part III Infrastructure Hacking
Case Study: Read It and WEP
7 Remote Connectivity and VoIP Hacking
Preparing to Dial Up
Wardialing
Hardware
Legal Issues
Peripheral Costs
Software
Brute-Force Scripting—The Homegrown Way
A Final Note About Brute-Force
Hacking the Citrix VPN Solution
Voice over IP Attacks
Wireless Adapters
Operating Systems
Miscellaneous Goodies
Discovery and Monitoring
Finding Wireless Networks
Sniffing Wireless Traffic
Denial of Service Attacks
Standard Passwords
Bluetooth
Reverse Engineering Hardware
Mapping the Device
Sniffing Bus Data
Sniffing the Wireless Interface
Firmware Reversing
Hacking Your Android
Hacking Other Androids
Android as a Portable Hacking Platform
Defending Your Android
iOS
Know Your iPhone
How Secure Is iOS?
Jailbreaking: Unleash the Fury!
Hacking Other iPhones: Fury Unleashed!
Summary
Policy and Training
Simple, Cheap, and Easy
B Top 10 Security Vulnerabilities
C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
Countermeasures
Index
The term cyber-security and an endless list of words prefixed with “cyber” bombard our senses daily. Widely discussed but often poorly understood, the various terms relate to computers and the realm of information technology, the key enablers of our interrelated and interdependent world of today. Governments, private and corporate entities, and individuals are increasingly aware of the challenges and threats to a wide range of our everyday online activities. Worldwide reliance on computer networks to store, access, and exchange information has increased exponentially in recent years. Include the almost universal dependence on computer-operated or computer-assisted infrastructure and industrial mechanisms, and the magnitude of the relationship of cyber to our lives becomes readily apparent.

The impact of security breaches runs the gamut from inconvenience to severe financial losses to national insecurity. Hacking is the vernacular term, widely accepted as the cause of these cyber insecurities, which range from the irritating but relatively harmless activities of youthful pranksters to the very damaging, sophisticated, targeted attacks of state actors and master criminals.

Previous editions of Hacking Exposed™ have been widely acclaimed as foundation documents in cyber-security and are staples in the libraries of IT professionals, tech gurus, and others interested in understanding hackers and their methods. But the authors know that remaining relevant in the fast-changing realm of IT security requires agility, insight, and deep understanding about the latest hacking activities and methods. “Rise and rise again…,” from the movie Robin Hood, is a most appropriate exhortation to rally security efforts to meet the relentless assaults of cyber hackers.

This Seventh Edition of the text provides updates on enduring issues and adds important new chapters about Advanced Persistent Threats (APTs), hardware, and embedded systems. Explaining how hacks occur, what the perpetrators are doing, and how to defend against them, the authors cover the horizon of computer security. Given the popularity of mobile devices and social media, today’s netizens will find interesting reading about the vulnerabilities and insecurities of these common platforms.

The prerequisite for dealing with these issues of IT and computer security is knowledge. First, we must understand the architectures of the systems we are using and the strengths and weaknesses of the hardware and software. Next, we must know the adversaries: who they are and what they are trying to do. In short, we need intelligence about the threats and the foes, acquired through surveillance and analysis, before we can begin to take effective countermeasures. This volume provides the essential foundation and empowers those who really care about cyber-security.

If we get smart and learn about ourselves, our devices, our networks, and our adversaries, we will find ourselves on a path to success in defending our cyber endeavors. What remains is the reality of change: the emergence of new technologies and techniques and the