“Ryan Russell has an important message for us all: ‘What you don’t know will hurt you…’” — Kevin Mitnick

HACK PROOFING YOUR NETWORK: INTERNET TRADECRAFT
Ryan Russell, SecurityFocus.com
Stace Cunningham, CLSE, COS/2E, CLSI, COS/2I, CLSA
Foreword by Mudge, Security Advisor to the White House and Congress

“This book provides a bold, unsparing tour of information security that never swerves from the practical.” —Kevin L. Poulsen, Editorial Director, SecurityFocus.com

THE ONLY WAY TO STOP A HACKER IS TO THINK LIKE ONE:
Rain Forest Puppy
Elias Levy, Bugtraq
Blue Boar, Vuln-dev
Dan “Effugas” Kaminsky, Cisco Systems
Oliver Friedrichs, SecurityFocus.com
Riley “Caesar” Eller, Internet Security Advisors
Greg Hoglund, Click To Secure
Jeremy Rauch
Georgi Guninski

95_pgwFP.qx 11/22/00 12:45 PM Page 1

With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created solutions@syngress.com, a service that includes the following features:

■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for solutions@syngress.com.
■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you've purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase.
Thank you for giving us the opportunity to serve you.
solutions@syngress.com

HACK PROOFING YOUR NETWORK: INTERNET TRADECRAFT

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” and “Mission Critical™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  AB7153MGC6
002  KTY864GHPL
003  SRS587EPHN
004  TYP244KBGK
005  468ZJRHGM9
006  1LBVBC7466
007  6724ED1M84
008  CCVX153SCC
009  MKM719ACK
010  NJGMB98445

PUBLISHED BY
Syngress Media, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Your Network: Internet Tradecraft
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-15-6

Product Line Manager: Kate Glennon
Index by: Robert Saigh
Technical Edit by: Stace Cunningham
Copy Edit by: Beth Roberts and Ryan Russell
Proofreading by: Adrienne Rebello and Ben Chadwick
Co-Publisher: Richard Kristof
Page Layout and Art: Reuben Kantor and Kate Glennon
Distributed by Publishers Group West

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for making certain that our vision remains worldwide in scope.

Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Special thanks to the professionals at Osborne with whom we are proud to publish the best-selling Global Knowledge Certification Press series.

From Global Knowledge

At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner.

Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.

Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge

Contributors

Ryan Russell has been working in the IT field for over ten years, the last five of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as Bugtraq, for years. Ryan has served as an expert witness, and has done internal security investigation for a major software vendor. Ryan has contributed to three other Syngress books, on the topics of networking. He has a degree in computer science from San Francisco State University. Ryan is presently employed by SecurityFocus.com. Ryan would like to dedicate his portion of the work to his wife, Sara, for putting up with him while he finished this book.
Introduction, Chapters 1, 2, 4, 5, 10, and 13

Blue Boar has been interested in computer security since he first discovered that a Northstar multiuser CP/M system he worked on as a high school freshman had no memory protection, so all the input and output from all terminals were readable by any user. Many years ago he founded the Thievco Main Office BBS, which he ran until he left home for college. Recently, Blue Boar was resurrected by his owner for the purpose of publishing security information that his owner would rather not have associated with himself or his employers. Blue Boar is best known currently as the moderator of the vuln-dev mailing list (vuln-dev@securityfocus.com) which is dedicated to the open investigation and development of security holes.
Contributed to Chapter 6

Riley (caezar) Eller is a Senior Security Engineer for the Internet Security Advisors Group, where he works on penetration and security tool development. He has extensive experience in operating system analysis and design, reverse engineering, and defect correction in closed-source and proprietary operating systems, without the benefit of having access to the source code. Mr. Eller is the first to reveal ASCII-armored stack overflow exploits. Prior to his employment with ISAG, Mr. Eller spent six years developing operating systems for Internet embedded devices. His clients have included government and military contractors and agencies, as well as Fortune 500 companies, worldwide. Products on which he has worked have been deployed on systems as varied as Enterprise Desktop, Global Embedded Internet, Hard Time Real Analyses and Single Tasking Data Collection. Mr. Eller has spoken about his work at information security industry conferences such as Black Hat, both in the United States and in Asia. He is also a frequent panel member for the “Meet the Enemy” discussion groups.
Contributed to Chapter 8

Georgi Guninski is a security consultant in Bulgaria. He is a frequent contributor to security mailing lists such as Bugtraq, where he is well-known for his discovery of numerous client-side holes, frequently in Internet Explorer. In 1997, he created the first buffer overflow exploits for AIX. Some of his most visible work has included numerous exploits that could affect subscribers of Microsoft’s Hotmail service. He is frequently quoted in news articles. Georgi holds an MA in international economic relations from the University of National and World Economy in Bulgaria. His web page can be found at www.nat.bg/~joro.
Contributed to Chapter 13

Oliver Friedrichs has over ten years of experience in the information security industry, ranging from development to management. Oliver is a co-founder of the information security firm SecurityFocus.com. Previous to founding SecurityFocus.com, Oliver was a co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. Post acquisition, Oliver managed the development of Network Associates’ award-winning CyberCop Scanner network auditing product, and managed Network Associates’ vulnerability research team. Oliver has delivered training on computer security issues for organizations such as the IRS, FBI, Secret Service, NASA, TRW, Canadian Department of Defense, RCMP and CSE.
Chapter 9

Greg Hoglund is a software engineer and researcher. He has written several successful security products for Windows NT. Greg also operates the Windows NT Rootkit project, located at www.rootkit.com. He has written several white papers on content-based attacks, kernel patching, and forensics. Currently he works as a founder of Click To Secure, Inc., building new security and quality-assurance tools. His web site can be found at www.clicktosecure.com. He would like to thank all the Goons of DefCon, Riley (caezar) Eller, Jeff Moss, Dominique Brezinski, Mike Schiffman, Ryan Russell, and Penny Leavy.
Chapter 8

Dan Kaminsky, also known as “Effugas”, primarily spends his time designing security infrastructure and cryptographic solutions for Cisco Systems’ Advanced Network Services division. He is also the founder of the multidisciplinary DoxPara Research (www.doxpara.com), and has spent several years studying both the technological and psychological impacts of networked systems as deployed in imperfect but real user environments. His primary field of research at the present is known as Gateway Cryptography, which seeks ideal methodologies to securely traverse non-ideal networks.
Chapter 11

Elias Levy is the moderator of Bugtraq, one of the most read security mailing lists on the Internet, and a co-founder of Security Focus. Throughout his career, Elias has served as computer security consultant and security engineer for some of the largest corporations in the United States, and outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator.
Chapter 15

Mudge is the former CEO and Chief Scientist of renowned ‘hacker think-tank’ the L0pht, and is considered the nation’s leading ‘grey-hat hacker.’ He and the original members of the L0pht are now heading up @stake’s research labs, ensuring that the company is at the cutting edge of Internet security.
Mudge is a widely sought-after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs and to be a witness to the House and Senate joint Judiciary Oversight committee. Mudge has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other government agencies. In February, following the wave of denial of service attacks on consumer web sites, Mudge participated in President Clinton’s security summit at the White House. He joined a small group of high tech executives, privacy experts, and government officials to discuss Internet security. A recognized name in cryptanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on Computer and Communications Security, and the Secure Networking – CQRE International Exhibition and Congress. He is the original author of L0phtCrack, the award winning NT password auditing tool. In addition, Mudge co-authored AntiSniff, the world’s first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools, many of which resulted in numerous CERT advisories, vendor updates, and patches.
Foreword

[...] the director of research and development

Contents

Foreword xxiii
Introduction xxvii

Part I: Theory and Ideals

Chapter 1: Politics
  Introduction
  Definitions of the Word Hacker
    Hacker
    Cracker
    Script Kiddie
    Phreak
    White Hat/Black Hat
    Grey Hat
    Hacktivism
  The Role of the Hacker
    Criminal
    Magician
    Security Professional
[...]
Introduction

This is a book about hacking. It’s not a novel about a set of elusive cyberpunks, it’s a do-it-yourself manual. Are we trying to tell you how to break into other people’s systems? No, we’re trying to help you make your own systems more secure by breaking into them yourself. Yes, this [...]

[...] word hacker. There are a few folks who claim that the word hacker was also used earlier among folks who experimented with old tube radio sets and amplifiers. The original definition of the word hacker had to do with someone who hacked at wood, especially in reference to making furniture. For a wide range of definitions, check here: www.dictionary.com/cgi-bin/dict.pl?term=hacker

[...] we’re concerned with the term hacker as it relates to computers. This version of the word has come into such wide popular use that it has almost entirely eliminated the use of the word hacker for all other purposes. One of the most popular definitions that hackers themselves prefer to use is from The Jargon File, a hacker-maintained dictionary of hacker terms. The entry for hacker can be found here: www.tuxedo.org/~esr/jargon/html/entry/hacker.html

[...] ourselves is a dictionary of sorts.

Definitions of the Word Hacker

There are probably as many definitions of the word hacker as there are people who are called hackers, either by themselves or by someone else. There are also a number of variants, such as cracker, script kiddie, and more. We’ll go over each of the better-known words in this area.

Hacker

The word hacker is the most contested of the bunch. Most of the [...]

[...] carefully crafted data to both clients and servers to defeat security mechanisms. This book will teach you the role of the attacker in the battle for securing your systems.

Why Should You Be Hacking?

The short answer to this is, if you don’t hack your systems, who will?
One of the tasks that nearly all information security professionals face is making a judgment on how secure a given system or software [...]

[...] more explicit about what type of person is being discussed. Where does the word hacker come from? One of the earlier books on the subject is Hackers: Heroes of the Computer Revolution by Steven Levy. You can find his summary of the book here: www.stevenlevy.com/hackers.html. In this book, Mr. Levy traces the origin of the word hacker to the Massachusetts Institute of Technology (MIT) in the 1950s; specifically, [...]

[...] and viruses.

Part Four, Reporting, consists of Chapter 15, and deals with what to do with a hole or exploit once you’ve discovered it.

Further Information

As the vast majority of information sharing regarding hacking takes place via the Internet now, you’ll see many references to URLs or similar Internet information pointers in [...]

Chapter 1
Politics

Solutions in this chapter:
■ What does the word “hacker” mean?
■ Isn’t hacking immoral and/or illegal?
■ Don’t most hackers work “underground?”
■ Doesn’t releasing exploits help the bad guys?
■ Why would you teach people to do this stuff?

Introduction

Before we launch into the meat [...]

[...] discover sensitive information by poking around. Hence ‘password hacker,’ ‘network hacker.’ The correct term for this sense is cracker. The Jargon File makes a distinction for a malicious hacker, and uses the term cracker.

Cracker

The Jargon File makes reference to a seemingly derogatory term, cracker. If you were viewing the above definition in your Web browser, and you clicked on the “cracker” link, you’d [...]